1. Field of the Invention
This invention relates to a process for exchange of rights between microprocessor cards. The rights to be exchanged between microprocessor cards can be of any nature and provide access to various services. They are most often linked to financial transactions (credit, debit). The invention therefore finds a preferred application in what it is fitting to call "electronic payment." In the case of such transactions, the cards constitute electronic "purses."
2. Discussion of Background
The use of electronic purses is possible only if certain conditions are met: the security of the exchange has to be total, the cards have to be unable to be counterfeited, regardless of the handlings that they undergo, and finally counterfeit purses must be impossible to produce.
Resorting to the technology of memory cards is justified to the extent that this technology uses components especially designed to offer a very high level of security. These components consist of a "monochip" chip comprising a microprocessor with its programs, its memories and its input-output means. Memories and input-output means are under the control of the microprocessor and its program, which cannot be modified externally.
The first level of security to be assured relates to the exchange of rights between cards so that it is impossible to simulate a reloading of one's own card, which would amount to creating counterfeit money.
The security of the exchange relies on standard techniques of data-processing security. It involves guaranteeing the integrity and the authenticity of the message sent by the debit card to the credit card.
FIG. 1 illustrates an example of known procedure to assure an exchange in total security. Such a procedure is described, for example, in the article of P. REMERY, J. C. PAILLES, F. LAY titled "Electronic Payment" published in the journal "L'echo des Recherches" ["The Echo of Research"], no. 134, 4th quarter 1988, pages 15-24.
In the transaction illustrated in FIG. 1, there are the following operations:
card A to be debited is defined by an identity (a) and it exhibits a credit balance; card B to be credited is defined by an identity (b) and by a number N which is, for example, the number of transactions that it has already performed; PA1 card B begins by identifying itself to card A to be debited by sending its identity (b) and number N to it; it also indicates amount M that it desires to receive; PA1 card A verifies if its balance is at least equal to requested amount M; PA1 in the negative, the debit order would be refused; in the affirmative, card A reduces its balance by amount M and calculates a voucher C (or proof), which is a function F of amount M, of identity (b) of card B to be credited and of number N, or F(M,b,N); PA1 card A sends this voucher F(M,b,N) to card B; PA1 the latter receives the voucher F(M,b,N) and, by the inverse function of function F, calculates an amount M, an identity (b) and a number N; PA1 card B verifies if the amount thus calculated is indeed requested amount (M), if the calculated identity is indeed its own (b) and if the calculated number is indeed the number that it had selected (N); PA1 in the affirmative, card B increments number N by one unit for the next transaction and increases its balance by amount M in question. PA1 to select a function F "hard" to decipher, the difficulty is that it is difficult to evaluate the hardness of a cryptographic function, PA1 to change regularly (every month, for example), the key of the cards, in particular when they are reloaded; in this case, the life of a clone is limited (to one month in the example given). PA1 providing multiple ciphering keys [K1, K2, . . . , Km, . . . , Kn, . . . ), which are defined previously, PA1 providing a card to be credited (B) one of these multiple keys, or (Kn), where key number n is a function (u) of identity (b) of card (B), (u(b)=n), PA1 providing a card to be debited (A) certain varied keys Ka1, Ka2, . . . , Kan, . . . which are each a function of multiple keys K1, k2, . . . and of identity (a) of card (A) to be debited, these varied keys being loaded in card (A) during its customization, PA1 providing the card (A) to be debited the identity (b) of card (B) to be credited and having card (A) calculate row n of the varied key to be used by function u(b) and deduct from it that of varied keys Kan, with which it is to calculate voucher (C), PA1 having card (B) to be credited calculate varied key Kan which was used in the calculation of the voucher that it received and the latter with its own key (Kn) and identity (a) corresponding to card (A) to be debited, card (B) to be credited then being able to decipher voucher (C) with this varied key Kan.
FIG. 2 illustrates how the electronic money can circulate in a system equipped with cards able to use the process which has just been described. An issuer of money 10 has authorized banks 20 and 30, each containing use working accounts (a) and (b). The users possess cards 25, 35 able to exchange rights with the banks.
In the diagram illustrated, bank 20 is supposed to have loaded card 25 with an amount of 100 F (operation 1); card 25 has been debited by 50 F (operation 2) for the benefit of card 35. The latter has been debited by 200 F for the benefit of its bank 30 (operation 3).
If this procedure is already satisfactory in some respects, it remains to solve the problem of the selection of function F that is used to calculate voucher C.
It is clear that this function is to be able to be calculated only by purse cards, and not by a PC type computer, for example, otherwise the simulation of a reloading of one's own card would be easy. A first solution consists in taking up a function F which is secret. A second solution consists in defining F by one (or more) secret key(s), so that it is impossible to perform a transaction without the knowledge of this (or these) key(s).
The invention is oriented toward this second solution, the first being not very reliable, for the reason that secret F cannot be guaranteed, in particular because of the necessity for writing and testing the program making it possible to calculate F during the development of such a card.
With the second solution, the security of the system will depend on the ability of function F to withstand attempted fraud.
More precisely, the question is to know if, by knowing parameters M (amount), b (identity of the card to be credited), N (number of transactions already performed) and voucher C=F.sub.K (M,b,N), where function F depends on a key K, it is possible to get back to key K used by identity card a.
If so, the secret would be penetrated and it would be possible to simulate reloadings of any card (b), since calculation F.sub.K (M,b,N) would be possible whatever (b) may be. In practical terms, it would be possible to produce software on a PC computer and a card reader making it possible to reload any card.
This software and the computer using it would therefore constitute a card "clone" that could be used for reloading any card by simulating the debit of a counterfeit card (a') and the credit of a genuine card (b). The counterfeit money thus created would be in some way "laundered" after this operation and nothing would make it possible any longer to distinguish, in card b, what comes from any particular reloading.
A swindler wanting to discover a key K has two possibilities:
a) either the physical investigation of the memory of the card by instruments such as an electron microscope,
b) or the cryptanalysis of the vouchers (or proofs) produced by the debited card, by hoping, with the largest known computers, to solve the equation C=F.sub.K (M,b,N) where C, P, b, N are known and K is unknown.
To avoid the first type of fraud, there are no other solutions than to hide the sensitive parts of the component (memory, bus) by metal screens. Furthermore, it is not necessary that the investigation of a card provide all the secrets of the system, therefore make possible simulating any debit card, because then there would no longer be means to detect the frauds.
To avoid the second type of fraud, it is possible to think of two responses: